Day: December 10, 2015

The FTC brought an administrative action against LabMD, a Georgia-based medical testing lab, because of a security incident that occurred within the company. A decision by the administrative law judge came out recently, essentially holding that the FTC failed to carry its burden of proving actual or likely substantial harm to consumers.[1] The dismissal is, of course, now on appeal to the Commission, but I think LabMD is not very important because it is based on bad facts for an enforcement action. The only thing LabMD might stand for is the severe financial consequence of having to fight an FTC action even if your company’s failure did not actually hurt anyone (LabMD is essentially out of business now and winding up operations). Wyndham, on the other hand, is a clear warning of the terrible consequences that follow when the FTC takes issue with your cybersecurity failures, consequences which may include having the FTC looking over your shoulder for decades should you lose or settle.

As I wrote previously, the Wyndham case is a much more important precedent, with implications for cybersecurity practices and data breach responses.[2] In fact, the FTC and Wyndham have proposed a settlement that is now awaiting court approval.[3] The settlement terms give a glimpse of the standards the FTC will hold other companies to in the aftermath of a data breach.[4]


Wyndham Settlement

The settlement imposes a rigorous set of actions that Wyndham must take over the next twenty (20) years.[5]

Wyndham will be required to establish a “comprehensive information security program” that is “fully documented in writing” and consists of “administrative, technical, and physical safeguards” appropriate to its size and complexity, the scope of its activities, and the sensitivity of the data it holds.[6] The program must also designate employees who are accountable for its implementation and oversight, require ongoing risk assessments, implement safeguards to control the risks identified in those assessments, impose similar requirements on the vendors Wyndham uses, and be continuously updated based on the results of the mandated monitoring and testing.[7]

Wyndham must also obtain annual assessments from qualified assessors to confirm its compliance with a relevant security standard “at least as thorough as Version 2.0 of the PCI DSS Risk Assessment Guidelines.”[8] In the event of a sufficiently large breach, it will be obligated to commission “a PCI Forensic Investigator Final Incident Report.”[9]

The order also imposes ongoing reporting and recordkeeping requirements, including notification requirements.[10] The most problematic requirement, however, is that the order would permit the Commission “to seek discovery, without further leave of Court” under the Federal Rules of Civil Procedure governing discovery for a period of at least 23 years.[11]

Conclusion

The settlement’s prescribed “comprehensive information security program” is something Wyndham should have had in place regardless. These programs and their constituent policies are reasonable and necessary efforts that all companies should have. The requirements in that portion of the proposed order are very much in line with recommendations being drafted by the data breach response brainstorming group in the Sedona Conference Working Group 11 (disclosure statement: I am part of the brainstorming group drafting those recommendations). The unfortunate aspect of Wyndham’s position is the loss of some control over its policies and the additional requirements imposed on it by the remainder of the proposed order.

In my opinion, Wyndham stands for the proposition that the innocent age when cybersecurity issues could be glossed over has passed. The numerous high-profile data breaches over the past two years alone have raised public awareness and concern. Regulators have clearly taken notice at both the state and federal level, and enforcement actions are going to become more common when companies do not take reasonable steps to address cybersecurity, data breach response planning, and consumer protection. People may hate paying lawyers, but an ounce of prevention is definitely worth at least a pound of litigation later in the cybersecurity and data breach arena.

References

1. See “Initial Decision Docket No. 9357” at 88, available at https://www.ftc.gov/system/files/documents/cases/151113labmd_decision.pdf.
2. See “Understanding the Implications of FTC v. Wyndham on Data Security Practices,” available at http://hanrylaw.com/2015/09/11/understanding-the-implications-of-ftc-v-wyndham-on-data-security-practices/.
3. See “Wyndham Settles FTC Charges It Unfairly Placed Consumers’ Payment Card Information At Risk,” available at https://www.ftc.gov/news-events/press-releases/2015/12/wyndham-settles-ftc-charges-it-unfairly-placed-consumers-payment.
4. See “Wyndham’s settlement with the FTC: What it means for businesses – and consumers,” available at https://www.ftc.gov/news-events/blogs/business-blog/2015/12/wyndhams-settlement-ftc-what-it-means-businesses-consumers.
5. See “Proposed Stipulated Order For Injunction,” available at https://www.ftc.gov/system/files/documents/cases/wyndhamproposedstiporderfullyexecuted.pdf.
6. Id. at 4-5.
7. Id. at 5-6.
8. Id. at 7.
9. Id. at 8.
10. Id. at 11-12.
11. Id. at 13 (section VI, “Compliance Monitoring,” applies as long as Wyndham is subject to any obligations under parts I or II of the order plus three years thereafter, and part I has a 20-year duration).

Motor carriers, that is, interstate trucking companies, are granted the valuable right to define their relationship with shippers through a tariff, which is essentially a document setting out the rates, rules, and classifications pertaining to a shipment of goods. At one time truckers were required to file these tariffs with the Interstate Commerce Commission (I.C.C.), but today they no longer have to file their tariffs anywhere. However, a tariff must be produced to any shipper who requests it. The most critical element of a tariff will typically be its limitation of liability.

The power of a properly maintained tariff is illustrated by Tronosjet Maint., Inc. v. Con-Way Freight, Inc.[1] Tronosjet shipped some equipment using Con-Way, the motor carrier, and the equipment arrived damaged. Tronosjet filed its claim first with Con-Way and then in court, seeking the full value of the damaged cargo, $165,000, “plus reasonable and necessary incidental damages.” Because Con-Way maintained a tariff, that is, because Con-Way had created a document containing its standard terms and conditions and incorporated it by reference in the bill of lading, Con-Way prevailed in court on a quick and easy motion in which its liability was capped at $819.71. The Tronosjet decision was issued as a memorandum opinion, which essentially indicates that the court considered the decision an easy one.

The decision was easy for the Tronosjet court, and for hundreds like it, because the motor carrier (1) created a tariff, (2) put the tariff on its website, (3) left a space on the bill of lading for the shipper to declare the value of the goods and agree to pay for the increased coverage needed to insure the full value of the goods, and (4) issued the completed bill of lading before the shipment began. Other trucking companies that adopt these same practices will likewise be able to replace drawn-out, contentious litigation with their customers with a quick, predictable claims process.

The recommended four-step safe harbor is a response to the widely applied test derived from Hughes v. United Van Lines, Inc.[2] Under the Hughes test, a carrier could limit its liability if it (1) maintained a tariff within the prescribed guidelines of the Interstate Commerce Commission; (2) obtained the shipper’s agreement as to her choice of liability; (3) gave the shipper a reasonable opportunity to choose between two or more levels of liability; and (4) issued a receipt or bill of lading prior to moving the shipment. Since the I.C.C. was abolished in 1995, a carrier now need only make its tariff available to a requesting shipper to satisfy the first prong. Nonetheless, a carrier can eliminate any doubt as to whether its tariff was made available simply by putting the tariff on its website. Consider the “Tariff Library” made available on the website of Con-Way’s successor, XPO Logistics, at http://xpo.com/content/tariff-library.

The American Moving and Storage Association (AMSA) provides valuable guidance on creating a tariff, though, notably, it recommends obtaining legal advice because of the various regulatory requirements. The AMSA guidance should be available at http://www.promover.org/content.asp?pl=62&sl=3&contentid=164.

Finally, the carrier must offer the shipper a choice between different levels of coverage. The most widely recognized and accepted method of doing so is to allow the shipper to declare a value for the goods on the bill of lading. The concept is that if the shipper does not declare a value, the shipper is choosing the default option, which is the lowest limitation of liability applicable to the particular class of goods being shipped. A number of carriers include a section on declared value in their tariffs specifying these defaults. Additionally, the Standard Trucking Bill of Lading (STBOL) provides in its terms and conditions that the carrier will not be liable for any item of extraordinary value not specified in the bill of lading. The space to declare a value is copied below, as it appears on the STBOL.

[Image: the declared-value space of the Standard Trucking Bill of Lading]

Of course, a tariff gives the trucking company the ability to address many issues beyond simply the limitation of liability. These include, but are not limited to, the claims process and procedures (within certain limits), detention charges and fuel surcharges (FSC), procedures for handling hazardous materials and other dangerous shipments, and inspection procedures.

Tariffs and limitations of liability become far more significant as a motor carrier adds customers. Nonetheless, a properly maintained tariff can be valuable for even the smallest mom-and-pop motor carrier.


[1] 2011 U.S. Dist. LEXIS 84503, 2011 WL 3322800 (S.D. Tex. – Hous. Aug. 2, 2011).

[2] 829 F.2d 1407, 1415 (7th Cir. 1987), cert. denied, 485 U.S. 913, 108 S. Ct. 1068, 99 L. Ed. 2d 248 (1988).